CyberWatch

Why We Need NIST's Post-Quantum Cryptography Standards

By Shubham Agarwal, Contributing Writer, Access Point Consulting

In 2015, the National Security Agency sounded an unexpected warning: It recommended U.S. agencies and businesses prepare for Q-Day—the day that encryption as we know it today becomes obsolete. On Q-Day, practically all existing cyber defenses guarding digital records such as emails, financial data, and even national security information would be rendered ineffective by quantum computers.

“IAD [Information Assurance Directorate] will initiate a transition to quantum-resistant algorithms in the not too distant future,” read the NSA statement. That was about a decade ago, and if some estimates are to be believed, Q-Day may be right around the corner.  

In one recent Forrester study, most industry experts hypothesized there’s a 50-70% chance of quantum computing cracking all current cryptosystems within the next couple of years. At the same time, the ‘spooky’ physics of subatomic particles that a quantum-computer-enabled internet exploits could theoretically pave the way for unhackable encryption and communications.

The frantic scramble across organizations, from governments to tech giants like Google and Cisco, to preempt the threats and benefits of quantum computing is reminiscent of Y2K—a computer bug the world spent hundreds of billions of dollars to overcome. Could quantum computers be the once-in-a-generation game-changer for cybersecurity? Or would it end up no more than an incremental technological shift like Y2K, where the fear never materialized?

Cybersecurity’s Quantum Era

Much of the internet today relies on a form of protection called public-key cryptography. It uses mathematics to compute a pair of keys: one that’s publicly available and another that’s private. Anyone who can perform the underlying calculations can gain access to a given system, but that’s easier said than done. Even the world’s most powerful supercomputer would take years and endless resources to produce one private key, let alone compromise the security of a broad group of users.

However, the problem flips on its head in the case of a quantum computer, which processes such information in a fraction of the time it would take its traditional counterpart. In the early 1990s, mathematician Peter Shor demonstrated, on paper, a quantum computer’s ability to break public-key encryption (PKE) algorithms, sparking a worldwide effort to build quantum-safe cryptography systems.

“Quantum computers will continue to advance rapidly,” says Michele Mosca, a quantum computing professor at the University of Waterloo in Ontario, Canada, “and it's absolutely imperative to be ready to mitigate the intrinsic cyber risks.”

Last month, the National Institute of Standards and Technology (NIST), a U.S.-based certification body, published its first set of ready-to-use post-quantum cryptography (PQC) standards. The result of an eight-year development effort, these standards establish the benchmark for withstanding cyberattacks from quantum computers and signal to enterprises, government agencies, and vendors that it’s time to begin transitioning.

The new standards make it more complex and resource-intensive to crack the cryptographic math. One method used, lattice-based cryptography (LBC), for example, replaces today’s keys based on large prime numbers with a lattice: an infinite, multi-dimensional grid with points at the intersections of lines. To recover the key, a machine would have to identify one specific point in that grid.

“The first imperative for enterprises is to migrate their public key cryptography to post-quantum public key algorithms,” adds Dr. Mosca, “and this will require a significant uplift in how cryptography is managed, and collaboration with vendors, regulators, and various third parties.”

The Present Need to Prepare for Future Quantum Threats

While quantum computers are still not widely available at scale and aren’t expected to be for a couple more years, the transition to quantum-safe algorithms is already essential to safeguarding against “harvest now, decrypt later” attacks. In such a scenario, threat actors accumulate encrypted information now, assuming they’ll be able to decrypt it once quantum technology is available.

“We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future,” said Alejandro Mayorkas, Secretary of Homeland Security.

However, quantum computing won’t just leave organizations vulnerable to novel kinds of attacks—it will also equip them with a hack-proof way to secure global communication and distributed information.

A Paradigm Shift in Information Security

You see, the bits that power quantum computing—named qubits—can be entangled. This enables pieces of information that are separated, even by significant distances, to correlate and interact with each other instantaneously, such that measuring the state of a single particle lets one predict the state of the others. Combine this with the fact that measuring such a quantum state disturbs the system itself and you have Quantum Key Distribution (QKD), in which the communicating parties can automatically stop and withhold the data once an anomaly is detected, such as a third party attempting to eavesdrop.
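The eavesdropper-detection property described above can be seen in a classical simulation of the BB84 protocol, added here as an illustration (it is not code from the article or from any of the researchers quoted; it assumes an ideal noise-free channel, a single-photon source and an intercept-resend attacker, and the 11% abort threshold is the usual BB84 security bound). Measuring a photon in the wrong basis randomizes it, so an interceptor leaves a measurable error rate in the sifted key, and the parties discard the session instead of sending data.

```python
# Toy BB84 simulation: Alice sends bits as photons in random bases, Bob measures in
# random bases, and a publicly compared sample of the sifted key reveals whether an
# intercept-resend eavesdropper disturbed the photons (classical simulation, assuming
# an ideal, noise-free channel and a single-photon source).
import random

THRESHOLD = 0.11  # abort above about 11% QBER, the usual BB84 security bound

def transmit(n, rng, eve=False):
    """Send n qubits; return the sifted keys (Alice's bits, Bob's readings)."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]  # 0 = rectilinear, 1 = diagonal
    b_bases = [rng.randrange(2) for _ in range(n)]
    a_key, b_key = [], []
    for bit, ab, bb in zip(a_bits, a_bases, b_bases):
        photon_bit, photon_basis = bit, ab
        if eve:  # intercept-resend: Eve measures in a random basis and re-prepares
            eb = rng.randrange(2)
            photon_bit = photon_bit if eb == photon_basis else rng.randrange(2)
            photon_basis = eb
        # measuring in the wrong basis yields a uniformly random outcome
        result = photon_bit if bb == photon_basis else rng.randrange(2)
        if bb == ab:  # sifting: keep positions where Alice's and Bob's bases agree
            a_key.append(bit)
            b_key.append(result)
    return a_key, b_key

def estimate_qber(a_key, b_key, sample, rng):
    """Sacrifice `sample` sifted bits over the public channel; return rate and rest."""
    idx = rng.sample(range(len(a_key)), sample)
    errors = sum(a_key[i] != b_key[i] for i in idx)
    used = set(idx)
    rest = [i for i in range(len(a_key)) if i not in used]
    return errors / sample, [a_key[i] for i in rest], [b_key[i] for i in rest]

def run(n, seed, eve=False):
    """Return (QBER, key): key is None when the session is aborted."""
    rng = random.Random(seed)
    a_key, b_key = transmit(n, rng, eve)
    rate, a_key, b_key = estimate_qber(a_key, b_key, len(a_key) // 2, rng)
    if rate > THRESHOLD:
        return rate, None  # eavesdropper detected: discard everything, send no data
    return rate, a_key  # noise-free channel: Alice's and Bob's remaining bits agree

if __name__ == "__main__":
    print(run(2000, 1))            # QBER 0.0 and a usable key
    print(run(2000, 1, eve=True))  # QBER above THRESHOLD, key None
```

An intercept-resend attacker introduces errors in about a quarter of the sifted bits, so with a few hundred sampled bits the abort decision is essentially never wrong in either direction.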

“The quantum internet in the form of Quantum Key Distribution has the advantage of being information-theoretically-secure,” says Michael Kues, the head of the Institute of Photonics at the Leibniz University Hannover, Germany, and is a step beyond “quantum-safe” algorithms “that only circumvent certain current threats of specific quantum computer algorithms.”

Ushering a QKD-powered infrastructure into reality, however, is an uphill climb. The bottleneck is the physics behind quantum computing itself. Keeping qubits stable over long distances is a challenge because they are notoriously fragile sub-atomic particles, and therefore their states are easily disrupted. With the help of hybrid technologies and repeaters, though, significant progress has been made in the last couple of years. China, for example, now has a 1,263-mile quantum link between Beijing and Shanghai. Last month, research from Dr. Kues also showed how it could be possible to integrate and transmit quantum internet qubits via conventional internet channels.

Cybersecurity historically has favored attackers, but as long as physical security measures are frequently updated, “quantum internet will enable new kinds of cryptography that do fundamentally favor the defense side of things,” Dr. Mosca told Access Point Consulting.

“This rarely happens in cyber security, so we're excited to usher in these new tools,” added Dr. Mosca. But to truly leverage the quantum computing era, organizations will need to provide sufficient cryptographic diversity and defense-in-depth to ensure that a future cryptographic algorithm break won't be catastrophic.
